Solved

Account Lockout

Posted on 2011-03-08
Last Modified: 2012-05-11
I have a few user accounts, mine being one of them, that keep getting locked out.  I checked the security logs on the system and it is constantly coming from a single machine on the network.  This just started today.  If I turn the machine off then all is well.  If I turn it back on...  well, I'm guessing one of the services is using credentials.  The other is a user that is no longer with the company, and whose account has been disabled for quite some time.  Is there a way I can find out what services are using these credentials on the server?  Any guidance would be greatly appreciated.
Question by:Infamous_Q
7 Comments
 
LVL 70

Accepted Solution

by:
KCTS earned 2000 total points
ID: 35075064
0
 
LVL 3

Expert Comment

by:Rhyseh
ID: 35075145
We had a similar issue some years ago where one of our servers missed an update and got a malware infection. It then proceeded to attempt to brute force its way into our network by repeatedly sending validation requests with random user account names. This caused the accounts to become locked.

We fixed this by patching the server and manually stamping out the infection, however if this is a client machine I would just give it a reimage and get rid of this headache.
0
 
LVL 8

Expert Comment

by:Nivlesh
ID: 35077481
Since you traced it to one computer, you are already half way there. Next you have to check all services.

BTW, what OS is the offending machine running? If Windows 2000 + then go to start\run\ and then type services.msc and press OK. This will start the services applet. In here check the Log On As Column to see if the account that is being locked out is there.

Also, Internet Explorer might be trying to access a server with the username that is locked out. Check all passwords that are stored on the machine. In XP you can type control userpasswords2 and see all the username/passwords stored. In Win7, open Control Panel, go to User Accounts, then click on Manage your credentials. Also, you can use Internet Explorer to delete all history, stored forms passwords etc.

The last thing to check is if there is any program running that might be trying to login to your servers. Open up the Task Manager and see if there is any "dodgy" process. Kill it and try to stop it from starting again, restart the computer and monitor.

It is a slow process to get this sorted but if you follow the correct path, you will get there.

Regards
0

 
LVL 3

Expert Comment

by:sam0x01
ID: 35079267
Any authentication request from that computer could be causing it.

This may come from a service, a scheduled task, or a program that runs in the background.

Running schtasks /v on the computer or schtasks /S [computername] /v remotely while the computer is powered on will show the scheduled tasks and the credentials they run under.

Running wmic service get displayname,state,startname will show the services, state and username

Running wmic /node:[computername] service get displayname,state,startname remotely will do the same.

If this is a program not running as a scheduled task or a service, and if it is a desktop, rebuilding it would be the easiest thing to do.

Otherwise opening each installed program and script on the server will eventually find the one that is causing it.
0
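The two remote checks from the comment above (services by logon account, scheduled tasks by run-as user), combined into one filtered report. This is an added example, not part of the original thread; it assumes Windows PowerShell 5.1 on an admin workstation, administrative rights on the target, and English-locale schtasks output, and SRV01 and jdoe are placeholder names.

```powershell
# Added example: list services and scheduled tasks on one host that run as a given account.
# Assumptions: Windows PowerShell 5.1, admin rights on the target, English schtasks output.
param(
    [string]$ComputerName = 'SRV01',  # placeholder: machine the lockouts come from
    [string]$Account      = 'jdoe'    # placeholder: logon name of the locked-out account
)

# Match DOMAIN\jdoe, jdoe@domain or bare jdoe, but not names that merely contain "jdoe".
$pattern = '(^|\\)' + [regex]::Escape($Account) + '($|@)'

# Services: same data as "wmic /node:<computer> service get displayname,state,startname".
$services = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName |
    Where-Object { $_.StartName -match $pattern } |
    Select-Object @{n='Type';   e={'Service'}},
                  @{n='Name';   e={$_.DisplayName}},
                  @{n='RunAs';  e={$_.StartName}},
                  @{n='Detail'; e={"$($_.State), $($_.StartMode): $($_.PathName)"}}

# Scheduled tasks: same data as "schtasks /S <computer> /v", requested as CSV for parsing.
# Newer Windows versions repeat the header row per task folder; those rows never match.
$raw   = schtasks.exe /Query /S $ComputerName /V /FO CSV 2>$null
$tasks = @()
if ($raw) {
    $tasks = $raw | ConvertFrom-Csv |
        Where-Object { $_.'Run As User' -match $pattern } |
        Sort-Object TaskName -Unique |   # one row per task, not one per trigger
        Select-Object @{n='Type';   e={'Task'}},
                      @{n='Name';   e={$_.TaskName}},
                      @{n='RunAs';  e={$_.'Run As User'}},
                      @{n='Detail'; e={$_.'Task To Run'}}
}

$hits = @($services) + @($tasks)
if ($hits.Count -eq 0) {
    # Nothing configured under that account: the source is more likely a stored
    # credential, a mapped drive, or a running process, as other comments suggest.
    Write-Output "No service or scheduled task on $ComputerName runs as $Account."
} else {
    $hits | Format-Table -AutoSize -Wrap
}
```

An empty result does not clear the machine; it only rules out services and tasks configured with that account, which is the situation the asker reports further down.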
 
LVL 2

Author Comment

by:Infamous_Q
ID: 35083955
Thanks for all of the advice.  I will be working on this issue today to see where the problem is.  I'll post an update as soon as I have something.
0
 
LVL 2

Author Comment

by:Infamous_Q
ID: 35096137
So the services on the system are all running as local or network services, and I just finished running a full scan for virus/spyware.  Nothing so far.  There are also no scheduled tasks on the machine.  To answer an above question, this is a Server 2003 machine.  However, it's not running all of the latest updates.  I will update the machine and install the lockout tools and post results.
0
 
LVL 2

Author Comment

by:Infamous_Q
ID: 35117149
I updated the system to the most recent and used the tools.  After finding the reason using the tools, I was able to kill the rogue service and fix things.  Thanks very much for all of your help.
0


Question has a verified solution.
